• State Not Answered
  • Replies 3 replies
  • Subscribers 74 subscribers
  • Views 1043 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 286601
Options

nRF9160 2-stage secure boot and public/private key

Fay Luo

Hi, Nordic Team

  I’m getting started trying to use both MCUboot and NSIB for 2-stage secure boot on nRF9160, and use SEGGER as developed tool. I enable NSIB via “Configue nRF Connect SDK project”, and It works. (I check from the partition.

  Well, The problem comes when I provide public key (adding in Public key PEM file), It said that the key is duplicated (as it was automatically generated from private key), so I change to new public key (never used),and the system is warning the same.

  So I want to make sure that I need to provide only private key when I want to use my own key, for NSIB? Cuz it will automatically generate, if so what the “Public key PEM file” slot work for?

 

  Besides, if it possible to modify merged.hex file with hex file that is not signed? I think MCUboot would not allow it, but I want to make sure if there is the way.

  Thank you.

Parents
  • 0

    Hello,

    1. Where can I find the list of public key hash or provision hex file?

    Provisioned data are stored in privision.hex file (zephyr/provision.hex). This is generated during build time so you will have to build your project to generate this file.  public.pem file is generated like - zephyr/nrf/subsys/bootloader/generated/public.pem in your build folder so build/zephyr/nrf/subsys/bootloader/generated.public.pem. 

    2. Is it okay if I use key generated by OPENSSL while setting ‘CONFIG_SB_SIGNING_PYTHON=y’?

    Yes it is ok. Python does not care how the key is generated whether you use OpenSSL or any other tool to generate the key as long as it is a valid key.

    3. ''As for ‘Checking the public key’ part diff build/zephyr/nrf/subsys/bootloader/generated/public.pem <(openssl ec -in priv.pem -pubout)   ..unfortunately, I cannot fine the path 'build/zephyr/nrf/subsys/bootloader/generated/public.pem' , is there is any suggession?''

    Did you build the sample correctly? Which one you are tying to build and what's the NCS version? I assume the sample was not built properly so public.pem was not generated as a consequence.

    I have run sample ''hello_world'' on nrf9160 DK (  only chnaged I made is add the CONFIG_SECURE_BOOT=y in prj.conf file). After build and flash I got the public key in the above mentioned directory. My directory looks like this: C:\NCS\v1.9.0\zephyr\samples\hello_world\build\zephyr\nrf\subsys\bootloader\generated

    A successful building shows the exact process of generating merge.hex file starting from generating signing key, creating public key from private key used for signing, creating signature of application, provisioned to the bootloader (and storing the provision.hex file), creating validation for zephyr.hex.

    I hope it helps. 

    Thanks.

    Best Regards,

    Kazi Afroza Sultana

Reply
  • 0

    Hello,

    1. Where can I find the list of public key hash or provision hex file?

    Provisioned data are stored in privision.hex file (zephyr/provision.hex). This is generated during build time so you will have to build your project to generate this file.  public.pem file is generated like - zephyr/nrf/subsys/bootloader/generated/public.pem in your build folder so build/zephyr/nrf/subsys/bootloader/generated.public.pem. 

    2. Is it okay if I use key generated by OPENSSL while setting ‘CONFIG_SB_SIGNING_PYTHON=y’?

    Yes it is ok. Python does not care how the key is generated whether you use OpenSSL or any other tool to generate the key as long as it is a valid key.

    3. ''As for ‘Checking the public key’ part diff build/zephyr/nrf/subsys/bootloader/generated/public.pem <(openssl ec -in priv.pem -pubout)   ..unfortunately, I cannot fine the path 'build/zephyr/nrf/subsys/bootloader/generated/public.pem' , is there is any suggession?''

    Did you build the sample correctly? Which one you are tying to build and what's the NCS version? I assume the sample was not built properly so public.pem was not generated as a consequence.

    I have run sample ''hello_world'' on nrf9160 DK (  only chnaged I made is add the CONFIG_SECURE_BOOT=y in prj.conf file). After build and flash I got the public key in the above mentioned directory. My directory looks like this: C:\NCS\v1.9.0\zephyr\samples\hello_world\build\zephyr\nrf\subsys\bootloader\generated

    A successful building shows the exact process of generating merge.hex file starting from generating signing key, creating public key from private key used for signing, creating signature of application, provisioned to the bootloader (and storing the provision.hex file), creating validation for zephyr.hex.

    I hope it helps. 

    Thanks.

    Best Regards,

    Kazi Afroza Sultana

Children
No Data
Related
Terms of service